[heap] Slot snapshot for visiting JSObjects in concurrent marker.

[heap] Slot snapshot for visiting JSObjects in concurrent marker.

The mutator can convert a pointer slot of a JSObject to an unboxed
double slot. To make it we safe for the concurrent marker, we require
synchronization using the object markbits.

The concurrent marker visits the JSObject as follows:
- save snapshot of object slot addresses and values.
- visit the snapshot only after successful transition of the object
  from grey to black.

Before an unsafe layout change the mutator colors the object black
and visits it using the bailout marking deque.

BUG=chromium:694255
Review-Url: https://codereview.chromium.org/2876553002
Cr-Commit-Position: refs/heads/master@{#45254}
Committed: https://chromium.googlesource.com/v8/v8/+/8a5382b78947fb126ad5a81051c2aced40e97d2e

[ulan, 2017-05-10 14:18:10]

Description was changed from

==========
[heap] Slot snapshot for visiting JSObjects in concurrent marker.

The mutator can convert a pointer slot of a JSObject to an unboxed
double slot. To make we safe for the concurrent marker, we require
synchronization using the object markbits.

The concurrent marker visits the JSObject as follows:
- save snapshot of object slot addresses and values.
- visit the snapshot only after successfull transition of the object
  from grey to black.

Before an unsafe layout change the mutator colors the object black
and visits it using the bailout marking deque.

BUG=chromium:694255
==========

to

==========
[heap] Slot snapshot for visiting JSObjects in concurrent marker.

The mutator can convert a pointer slot of a JSObject to an unboxed
double slot. To make it we safe for the concurrent marker, we require
synchronization using the object markbits.

The concurrent marker visits the JSObject as follows:
- save snapshot of object slot addresses and values.
- visit the snapshot only after successful transition of the object
  from grey to black.

Before an unsafe layout change the mutator colors the object black
and visits it using the bailout marking deque.

BUG=chromium:694255
==========

[ulan, 2017-05-10 14:18:22]

ulan@chromium.org changed reviewers:
+ hpayer@chromium.org, mlippautz@chromium.org

[ulan, 2017-05-10 14:18:23]

ptal

[Michael Lippautz, 2017-05-10 15:56:34]

lgtm

[Hannes Payer (out of office), 2017-05-11 10:40:16]

lgtm

[ulan, 2017-05-11 10:40:46]

The CQ bit was checked by ulan@chromium.org

[commit-bot: I haz the power, 2017-05-11 10:40:54]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-05-11 11:11:11]

CQ is committing da patch.

Bot data: {"patchset_id": 40001, "attempt_start_ts": 1494499246153400,
"parent_rev": "9acc66cd8328fdf51ec0f2fe3fd0109dd910dd55", "commit_rev":
"8a5382b78947fb126ad5a81051c2aced40e97d2e"}

[commit-bot: I haz the power, 2017-05-11 11:11:17]

Description was changed from

==========
[heap] Slot snapshot for visiting JSObjects in concurrent marker.

The mutator can convert a pointer slot of a JSObject to an unboxed
double slot. To make it we safe for the concurrent marker, we require
synchronization using the object markbits.

The concurrent marker visits the JSObject as follows:
- save snapshot of object slot addresses and values.
- visit the snapshot only after successful transition of the object
  from grey to black.

Before an unsafe layout change the mutator colors the object black
and visits it using the bailout marking deque.

BUG=chromium:694255
==========

to

==========
[heap] Slot snapshot for visiting JSObjects in concurrent marker.

The mutator can convert a pointer slot of a JSObject to an unboxed
double slot. To make it we safe for the concurrent marker, we require
synchronization using the object markbits.

The concurrent marker visits the JSObject as follows:
- save snapshot of object slot addresses and values.
- visit the snapshot only after successful transition of the object
  from grey to black.

Before an unsafe layout change the mutator colors the object black
and visits it using the bailout marking deque.

BUG=chromium:694255

Review-Url: https://codereview.chromium.org/2876553002
Cr-Commit-Position: refs/heads/master@{#45254}
Committed:
https://chromium.googlesource.com/v8/v8/+/8a5382b78947fb126ad5a81051c2aced40e...
==========

[commit-bot: I haz the power, 2017-05-11 11:11:18]

Committed patchset #3 (id:40001) as
https://chromium.googlesource.com/v8/v8/+/8a5382b78947fb126ad5a81051c2aced40e...